First step is probably "don't look too closely" (:
I agree though — I would not want this thing doing who-knows-what-unverifiable-fiddling with my data and credentials.